From 19f819c14250e234426c035365717b1a921ba81d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krist=C3=B3f=20T=C3=B3th?=
Date: Wed, 4 Apr 2018 17:43:18 +0200
Subject: [PATCH] Implement TFW & challenge solver user separation
---
 Dockerfile | 7 +++++--
 lib/tfw/components/terminado_event_handler.py | 3 ++-
 supervisor/supervisord.conf | 2 +-
 3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 17fa426..f05fc33 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -53,14 +53,17 @@ COPY nginx/nginx.conf ${TFW_NGINX_CONF}
 COPY nginx/default.conf ${TFW_NGINX_DEFAULT}
 COPY lib ${TFW_LIB_DIR}
+RUN for dir in "${TFW_LIB_DIR}" "/etc/nginx" "/etc/supervisor"; do \
+ chown -R root:root "$dir" && chmod -R 700 "$dir"; \
+ done
+
 ONBUILD ARG BUILD_CONTEXT="."
 ONBUILD ARG NOFRONTEND=""
 ONBUILD COPY ${BUILD_CONTEXT}/nginx/components/ ${TFW_NGINX_COMPONENTS}
 ONBUILD COPY ${BUILD_CONTEXT}/supervisor/components/ ${TFW_SUPERVISORD_COMPONENTS}
-ONBUILD RUN chown -R ${AVATAO_USER} /var/log/nginx /var/lib/nginx &&\
- for f in "${TFW_NGINX_DEFAULT}" ${TFW_NGINX_COMPONENTS}/*.conf; do \
+ONBUILD RUN for f in "${TFW_NGINX_DEFAULT}" ${TFW_NGINX_COMPONENTS}/*.conf; do \
 envsubst "$(printenv | cut -d= -f1 | grep TFW_ | sed -e 's/^/$/g')" < $f > $f~ && mv $f~ $f ;\
 done
 ONBUILD VOLUME ["/etc/nginx", "/var/lib/nginx", "/var/log/nginx"]
diff --git a/lib/tfw/components/terminado_event_handler.py b/lib/tfw/components/terminado_event_handler.py
index 50245f5..c4d49cc 100644
--- a/lib/tfw/components/terminado_event_handler.py
+++ b/lib/tfw/components/terminado_event_handler.py
@@ -5,6 +5,7 @@ from tfw.components.terminado_mini_server import TerminadoMiniServer
 from tfw.event_handler_base import TriggerlessEventHandler
 from tfw.config import TFWENV
 from tfw.config.logs import logging
+from tao.config import TAOENV
 LOG = logging.getLogger(__name__)
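Review bot: In the Dockerfile hunk, `chmod -R 700` in the added RUN sets the execute bit on every regular file under the three trees, including nginx and supervisor configuration that only needs to be read; `chmod -R u=rwX,go=` keeps the root-only restriction while granting execute only to directories and files that already had it. The lockdown also runs when the base image is built, whereas the `ONBUILD COPY` steps below add files in downstream builds afterwards, so those files keep whatever mode the build context gives them. If the component directories sit under /etc/nginx and /etc/supervisor (not visible here) the 700 parent still blocks traversal, but a comment stating that reliance, or an `ONBUILD RUN` repeating the chown/chmod, would make it explicit.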
@@ -14,7 +15,7 @@ class TerminadoEventHandler(TriggerlessEventHandler):
 super().__init__(key)
 self.working_directory = TFWENV.TERMINADO_DIR
 self._historymonitor = monitor
- self.terminado_server = TerminadoMiniServer('/terminal', TFWENV.TERMINADO_PORT, TFWENV.TERMINADO_WD, ['bash'])
+ self.terminado_server = TerminadoMiniServer('/terminal', TFWENV.TERMINADO_PORT, TFWENV.TERMINADO_WD, ['sudo', '-u', TAOENV.USER, 'bash'])
 self.commands = {'write': self.write, 'read': self.read}
 if self._historymonitor:
diff --git a/supervisor/supervisord.conf b/supervisor/supervisord.conf
index 4a14c2b..9efcd76 100644
--- a/supervisor/supervisord.conf
+++ b/supervisor/supervisord.conf
@@ -1,5 +1,5 @@
 [supervisord]
-user=user
+user=root
 logfile = /tmp/supervisord.log
 loglevel = debug
 pidfile = /tmp/supervisord.pid
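Review bot: The new argv `['sudo', '-u', TAOENV.USER, 'bash']` makes the whole user separation depend on two things this hunk does not pin down: the value of `TAOENV.USER` and the image's sudoers environment policy. If sudoers does not reset the environment, the solver's shell inherits the root server process's variables and may keep root's `HOME`; passing `-H` (`['sudo', '-H', '-u', TAOENV.USER, 'bash']`) and adding a comment that names the `env_reset` assumption would make that explicit. A check at construction that `TAOENV.USER` is non-empty and not `root` would keep a misconfigured environment from silently handing out a root shell. The constructor's signature is outside the hunk.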
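Review bot: With `user=root`, the unchanged `logfile = /tmp/supervisord.log` and `pidfile = /tmp/supervisord.pid` lines now have a root process creating files at fixed names in a world-writable directory that the unprivileged solver account can presumably write to as well. Moving them to root-only locations, for example `logfile = /var/log/supervisor/supervisord.log` and `pidfile = /var/run/supervisord.pid`, removes that exposure. Running supervisord as root also means every `[program:x]` section without its own `user=` runs as root, including those copied in from the component directories, so a comment here saying that each program must set `user=` explicitly would help downstream authors.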